You're being asked to change all of your passwords to protect yourself from the "Heartbleed Bug"

The breakdown affects encryption technology that is supposed to protect online accounts for emails, instant messaging and a range of e-commerce. Security experts are advising people to change all their online passwords -- but only after Internet services affected by Heartbleed install software released yesterday to fix the problem.

But changing all of your passwords can be cumbersome, never mind confusing in some cases.

The password security firm LastPass has, however, set up a website where you can check which sites have been compromised.

The Heartbleed Bug came to light after the Canada Revenue Agency temporarily cut off public access to its electronic services over security concerns, preventing Canadians from being able to file their taxes online.

In a statement posted on its website, the CRA says it has temporarily shut down public access to its online services to safeguard the integrity of the information it holds.

The affected services include EFILE, NETFILE, My Account, My Business Account and Represent a Client.

It says it's working to restore safe and secure access as soon as possible.

Computer security experts warn the Heartbleed threat went undetected for more than two years.

They say it has exposed millions of passwords, credit card numbers and other sensitive bits of information to potential theft by computer hackers.

Meanwhile, researchers are advising people to change all of their passwords.

The flaw was discovered independently in recent days by researchers at Google Inc. and the Finnish security firm Codenomicon.

The breach involves SSL/TLS, an encryption technology marked by the small, closed padlock and "https:" on Web browsers to signify that traffic is secure. With the Heartbleed flaw, traffic was subject to snooping even if the padlock had been closed.

The problem affects only the implementation of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.

Tech Analyst Carmi Levy joins Moore in the Morning to explain why Heartbleed could be one of the biggest web security threats in recent years and says you should change your internet passwords as soon as possible...

Researchers at Codenomicon say that OpenSSL is used by two of the most widely used Web server programs, Apache and nginx. That means many websites potentially have this security flaw. OpenSSL is also used to secure email, chats and virtual private networks, which are used by employees to connect securely with corporate networks.

Despite the worries, Codenomicon said many large consumer sites don't have the problem because of their "conservative choice" of equipment and software. "Ironically smaller and more progressive services or those who have upgraded to (the) latest and best encryption will be affected most," the security firm added.

A fix came out Monday, but affected websites and service providers must install the update.

Yahoo's Tumblr blogging service uses OpenSSL. In a blog post Tuesday, officials at the service said they had no evidence of any breach and had immediately implemented the fix.

"But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr's blog post read. "This might be a good day to call in sick and take some time to change your passwords everywhere -- especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."

Yahoo Inc. said its other services, including email, Flickr and search, also have the vulnerability. The company said some of the systems have already been fixed, while work is being done on the rest of Yahoo's websites.

The company reiterated its standard recommendation for people to change passwords regularly and to add a backup mobile number to the account. That number can be used to verify a user's identity if there are problems accessing the account because of hacking.


I've never trusted online cloud storage and am always paranoid about access. This is precisely one reason why. In any case, your best bet now is to use a password management software, that will keep track of all the passwords you create, as well as generate very good passwords. Also, people should take advantage of the two-step verification process if a website offers it. I know Google Mail offers it- as well as many bank websites- even Paypal has it too. This helps protect your account should the password be compromised.

@Karl Burgin
Yes, that's a good point Karl - the two-step verification process that is like a password required to use a password.

About cloud storage, well that, I think is the same traffic access as in a chat room or email as the data always flows to a privately owned server.

No one ever said at Google or MSN that the data they "pass thru" can't be archived, mined and used against the user years down the road. That could apply to every email in business, government. Emails that contain documents, photos and media.

About the Heartbleed bug, if huge masses are affected, then that makes me feel better as that would make me a needle in a haystack. There would be time to escape the problem before any damage could be done.

@Peter
It's not so much the money I'm concerned about- even though that in itself of funds being stolen is a fear nevertheless. The bigger concern is ID theft/compromise. That is something even harder to recover/keep under control than stolen money- if it were ever compromised.

And if passwords are already compromised, I wonder if password "strength" would be of any help (i.e. password made up of alpha-numeric series with a capital and a symbol).

@Karl Burgin
I think password strength has a limited effect on any account being hacked. Most hacks don't occur because someone's sitting there guessing your password. So unless your password is "password", or something similarly easy, it's not generally something to fear too much. If they get hold of your password, it will probably be via some sort of keylogger script, in which case it won't really matter how complicated it is. They'll still have it. This is where 2 step verification comes in handy.

As for biometrics, not sure that technology is quite where it needs to be, yet.

"Researchers are advising people to change all of their passwords." - BUT - "A fix came out Monday, but affected websites and service providers must install the update." So if you change your password before a website has installed the fix, isn't your new password then as vulnerable as the old one was?

@Bettie
I spent the morning changing all the important passwords- I have close to 100 accounts throughout for different sites, so it may take a while for me. But as for the important banking ones, not only did I change the passwords, but the 2-step verification process as well- so it isn't the same as the last.

@Karl Burgin
Change and Protect your Passwords NOW. Don't fall victim to the "Heartbleed" Bug. Americans Right to Privacy Recommends: Visit www.americansrighttoprivacy.com and purchase the Patriot Privacy Package which includes not only secure e-mail but two services that will protect you against this severe threat. One touch VPN but choose the L2TP protocol when connecting and DigitalSafe which will not only store and secure your passwords but also has the valuable password generator tool which will allow you to change your password securely! Please note: The reason why DigitalSafe will protect you against this ongoing threat is the fact that not only do you store and secure your username and password but you put the link to the particular website on the note as well. You access the secure website through DigitalSafe and by encrypting the data before it is sent not during neutralizes the Open Source "Heartbleed" bug

I don't trust anything online and this is why. Cloud or nothing. Look what happened to Megaupload. They got raided by the FBI and customers lost all of their data. They filed a multi-trillion dollar lawsuit against the government and are still ongoing as we speak. The best way to store files, if you can afford it, is a big USB hard drive. That's what I do.

This does not affect Microsoft Windows servers. There is a fine line between being cost conscious and being cheap. Dump all of those crappy cheap unix servers with open source software and install Windows. Not vulnerable (this time anyway)

I would rather have Linux on my computer. It is way better than Microsoft. The only problem is I am a gamer and none of the games I have run on Linux. Not too many people can track someone on an open source because that OS will not let .exe files install. Plus nobody can accuse you of software piracy if it is open source.

It would not surprise me if the MSA has something to do with this as well as the bleeding heart bug.

Now here is an opportunity where BlackBerry can possibly shine. Their security is second-to-none. Now if they could only develop a desktop O/S or make a partnership with Microsoft. It still wouldn't resolve the HTTPS security exploit, but it would be nice to have an alternative to Linux, Windows and Mac

Anybody ever heard of spyware? It is a little program and goes into the temp files of your web browser. It reads all of the files called cookies. It also watches what you are doing on your keyboard. It gives out that info to the person who makes the program so he can steal your info. So have a firewall installed as well as an antivirus program, use an anti-spyware program, use it to scan your hard drive, and keep it up to date.

@don was right
That isn't altogether true. From the hundreds of computers I've treated for malware, spyware, rootkits and trojans, the most common places that these infections hide IS in the temp folder for your web browser. Which is why it's common practice to clear the cache every so often. I think what JOHN is referring to are keyloggers, which in fact either sometimes disguise themselves as cookies, trojans, or the worst of them all- rootkits.

FYI: Just came across this. It checks to see if the site you're registered with/login to is vulnerable to the HeartBleed exploit. Hope this helps. http://possible.lv/tools/hb/ http://filippo.io/Heartbleed/

And this is a Google Chrome add-on meant to run in the background: https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic

Here is the website I usually reference- just to show the links above are 100% safe: http://community.spiceworks.com/topic/472382-heartbleed-openssl-vuln-site-checker?page=1#entry-3182966

"Heartbleed Bug," has been crawling around the internet for a staggering two years. Introduced to glom on to the system known as OpenSSL back in December of 2011 and in the wild since OpenSSL v1.0.1, this bug has been on the web since the 14th of March, 2012. The good news is that there’s a patch for this bug already released - the bad news is that an unknown amount of individuals could already have been targeted by hackers taking advantage of the bug. The other bad news is that there’s a growing list of websites that still have the non-patched SSL version 1.0.1 software running on their network.

Don't know how much data has already been hacked as it's a two-year-old bug.

This problem is growing fast and it is happening on all levels, from homes to businesses. Unfortunately, this problem is getting worse as deliberate errors into software or hardware designs, many of which are developed in collaboration with the NSA; or by recommending the use of security protocols that the NSA knows to be insecure, in its dual role as cryptographic standards-setter and codebreaker. Because of this, the safeguards have been broken down to gain access to your information making it easier than ever for hackers and cyber criminals. Americans Right to Privacy Recommends: Visit www.americansrighttoprivacy.com and purchase the Patriot Privacy Package which includes not only secure e-mail but two services that will protect you against this severe threat. One touch VPN but choose the L2TP protocol when connecting and DigitalSafe which will not only store and secure your passwords but also has the valuable password generator tool which will allow you to change your password securely! Please note: The reason why DigitalSafe will protect you against this ongoing threat is the fact that not only do you store and secure your username and password but you put the link to the particular website on the note as well. You access the secure website through DigitalSafe and by encrypting the data before it is sent not during neutralizes the Open Source "Heartbleed" bug.
